[Zeek] ja3 & ja3s with resumed tls
Daniel Guerra
daniel.guerra69 at gmail.com
Thu Jan 10 16:19:58 PST 2019
Hi Johanna
I was thinking the same, but after the results I became insecure about this.
I have attached 2 examples.
Daniel
Example 1
resumed false
{
"cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"established": true,
"client_cert_chain_fuids": "[]",
"curve": "secp256r1",
"issuerdn": "CN=DigiCert ECC Secure Server CA,O=DigiCert Inc,C=US",
"ja3s": "7d3eb4120cd50e889bcd3f3783be0f82",
"subject": "CN=*.adnxs.com,O=AppNexus\\, Inc.,L=New York,ST=New York,C=US",
"cert_chain_fuids": [
"FwvSeKet5kqNoujSf",
"FNxask2v3HjNVTB5ff"
],
"dest_asname": "AppNexus, Inc",
"next_protocol": "http/1.1",
"type": "tls",
"version": "TLSv12",
"sni": "ib.adnxs.com",
"src_ip": "192.168.1.93",
"src_port": 58443,
"uid": "Cfc50Q1EnIW0GAYWch",
"dest_ip": "37.252.172.40",
"validation_status": "ok",
"resumed": false,
"ja3": "b20b44b18b853ef29ab773e921b03422",
"dest_port": 443,
"timestamp": "2018-12-16T17:16:44.801Z"
}
next resumed true
{
"cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"established": true,
"ja3s": "02bdc318d9f618eea3e10d0a7ba25ba0",
"dest_asname": "AppNexus, Inc",
"next_protocol": "http/1.1",
"type": "tls",
"version": "TLSv12",
"sni": "ib.adnxs.com",
"src_ip": "192.168.1.93",
"src_port": 58446,
"uid": "CyYQVc1FuxLDABqxpj",
"dest_ip": "37.252.172.40",
"resumed": true,
"ja3": "334da95730484a993c6063e36bc90a47",
"dest_port": 443,
"timestamp": "2018-12-16T17:16:45.071Z"
}
Example 2
resumed false
{
"cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"established": true,
"client_cert_chain_fuids": "[]",
"curve": "secp256r1",
"issuerdn": "CN=DigiCert ECC Secure Server CA,O=DigiCert Inc,C=US",
"ja3s": "cabc8aadc20a64fa7156022319d177c0",
"subject": "CN=*.adnxs.com,O=AppNexus\\, Inc.,L=New York,ST=New York,C=US",
"cert_chain_fuids": [
"FCxxdLhSpJHRDMYv4",
"FYW4Fs3VrkciMfUhc6"
],
"dest_asname": "AppNexus, Inc",
"next_protocol": "http/1.1",
"type": "tls",
"version": "TLSv12",
"sni": "secure.adnxs.com",
"src_ip": "192.168.1.93",
"src_port": 55912,
"uid": "CvUDsF40fhpESTJlLd",
"dest_ip": "37.252.172.40",
"validation_status": "ok",
"resumed": false,
"ja3": "5c118da645babe52f060d0754256a73c",
"dest_port": 443,
"timestamp": "2018-12-27T15:43:45.898Z"
}
resumed true
{
"cipher": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"established": true,
"ja3s": "93174bff9e6f484d06ff9552fe757554",
"dest_asname": "AppNexus, Inc",
"type": "tls",
"version": "TLSv12",
"sni": "secure.adnxs.com",
"src_ip": "192.168.1.93",
"src_port": 55927,
"uid": "Ctr8MRZepl9Z0r6E6",
"dest_ip": "37.252.172.40",
"resumed": true,
"ja3": "7b1ac424884b798ca987e3e27b99d1a8",
"dest_port": 443,
"timestamp": "2018-12-27T15:43:46.019Z"
}
On 10-01-19 at 15:40, Johanna Amann wrote:
> Hi Daniel,
>
> unless I am missing something, there should be no difference in the
> signature of a resumed and a new connection for JA3. I don’t remember
> them hashing anything in that has to do with session resumption.
>
> Johanna
>
>
> On 10 Jan 2019, at 5:02, Daniel Guerra wrote:
>
>> Hi,
>>
>> I'm researching ja3 and ja3s tls signatures.
>>
>> With resumed tls connections there is no complete
>> handshake etc. Does it make sense to calculate a ja3
>> on resumed tls?
>>
>> Regards,
>>
>> Daniel
>>
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
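As an added illustration of the point discussed in this thread (example code, not from the thread or from Zeek): JA3S hashes the ServerHello version, cipher and extension-type list, so if a server sends a different set of extensions on an abbreviated (resumed) handshake, the JA3S value changes even though the server and cipher are the same. The ServerHello bytes and both extension sets below are constructed for this example; which extensions a real server drops on resumption depends on its implementation.

```python
import hashlib
import struct


def ja3s_from_server_hello(handshake: bytes) -> tuple:
    """Return (ja3s_string, ja3s_md5) for a raw TLS ServerHello handshake
    message (bytes starting at the handshake type byte 0x02).

    JA3S = MD5("SSLVersion,Cipher,Extensions"), with the extension type
    numbers dash-joined in the order the server sent them.
    """
    if handshake[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    pos = 4                                         # type(1) + length(3)
    version = struct.unpack("!H", handshake[pos:pos + 2])[0]
    pos += 2 + 32                                   # version + server random
    pos += 1 + handshake[pos]                       # session_id length + id
    cipher = struct.unpack("!H", handshake[pos:pos + 2])[0]
    pos += 2 + 1                                    # cipher + compression
    ext_types = []
    if pos < len(handshake):                        # extensions are optional
        end = pos + 2 + struct.unpack("!H", handshake[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", handshake[pos:pos + 4])
            ext_types.append(str(etype))
            pos += 4 + elen
    ja3s = "%d,%d,%s" % (version, cipher, "-".join(ext_types))
    return ja3s, hashlib.md5(ja3s.encode()).hexdigest()


def build_server_hello(cipher: int, extensions: list) -> bytes:
    """Constructed TLS 1.2 ServerHello (not a real capture) for testing."""
    body = b"\x03\x03" + b"\x00" * 32            # version, server random
    body += b"\x20" + b"\x11" * 32               # 32-byte session id
    body += struct.pack("!H", cipher) + b"\x00"  # cipher, null compression
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    return b"\x02" + len(body).to_bytes(3, "big") + body


ALPN_HTTP11 = b"\x00\x09\x08http/1.1"
# Assumed extension sets: the full handshake carries renegotiation_info(65281),
# ec_point_formats(11), session_ticket(35) and ALPN(16); the abbreviated
# (resumed) handshake sends only renegotiation_info and ALPN.
FULL = build_server_hello(0xC02B, [(65281, b"\x00"), (11, b"\x01\x00"),
                                   (35, b""), (16, ALPN_HTTP11)])
RESUMED = build_server_hello(0xC02B, [(65281, b"\x00"), (16, ALPN_HTTP11)])

if __name__ == "__main__":
    for label, hello in (("full", FULL), ("resumed", RESUMED)):
        print(label, *ja3s_from_server_hello(hello))
```

When baselining or alerting on ja3s values from Zeek's ssl.log, keep the resumed field next to the hash so a resumed session to the same server is not treated as a new, unknown server fingerprint.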